title: Secure development in C/C++
audience: senior/medior developers, lead devs, testers and security champions
duration: 1 or 2 days (7 or 12 hrs education time), depending on the actual set of topics applicable/required (see Agenda below)
developed by: Marek Zachara
We assume that the developers attending the secdev course:
are familiar with the C/C++ language and can compile and execute programs
the specific focus of the course (see below) may result in additional prerequisites
DIY code and ASVS audit
Due to the variety of applications built in C/C++, ranging from embedded to large-scale deployments, real-time and critical systems, we recommend tailoring the training to the specific needs of the particular development team.
The list of modules below illustrates the scope to choose from; the exact scope and level of detail are pre-arranged to suit the specific needs of the attendees.
Defense in depth principles
Standards and practices
Various types of weaknesses and vulnerabilities
Threat modeling
Risk assessment
Security by design
Checkpoints
Stack overflows
Heap overflows
String formatting issues
Array and string indexing
Integer overflows
Float limitations
Type casts
Secure memory handling
Safe pointers
Removal of sensitive data
Common errors
Injections
Unsafe type casts and conversions
Regular expressions
Validation practices
Symmetric and asymmetric encryption
Communication encryption
Storage encryption
Password handling
Deadlocks, starvation, etc.
Race conditions
Accessing external resources
Automated analysis with existing tools
Code review
OWASP ASVS
Safe and unsafe APIs
Secure libraries
Module isolation, wrappers, etc.